Port Scan Blocking Firewall Rule not Working

Good Evening Everyone

I have just implemented the rules found here:

http://wiki.mikrotik.com/wiki/Drop_port_scanners

I then use nmap to do a full scan of my ports from an outside network and sadly I was able to scan everything. All of the rules were easy to add except for the first one:

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

For some reason the terminal didn’t like the comment being before the disabled = no entry so I switched it around and it took the rule fine.

However, the most important part is that this isn’t working at all. I am able to easily scan all ports using a SYN stealth scan.

Any assistance would be greatly appreciated.

Are you scanning the RouterBoard or other devices?

The link you posted only detects scanning of the device you put this rule on (assuming everything is configured right).

Thank you for the reply

So I’m wondering, are these rules supposed to stop WAN-side port scans? The description on that page says this:

“To protect the Router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list we can drop connection from those IP”

I copied these rules directly using the terminal and they are present on the firewall rules. Then I tested the router by scanning it with nmap from an outside network. The internal network port scanning rules are working quite well and do block any internal port scans. So should the chain be set to input or forward?

Is there anything else that you could recommend?

Please and thank you

I recommend not wasting time on that.

When you block port scanners, what have you gained?

First of all, read this (and consider adding those rules on the input chain as well):

http://forum.mikrotik.com/t/for-isp-how-to-really-block-invalid-icmp-tcp-udp-packets-and-others-ver-2021/75627/1

And you will probably block the most-used “hack scanners”.

Simply discard / tarpit :wink: all incoming connections, except for the services you want reachable from outside:

/ip firewall filter
add action=tarpit chain=forward connection-state=new in-interface=<WAN-INTERFACE> protocol=tcp
add action=drop chain=forward connection-state=new in-interface=<WAN-INTERFACE> protocol=!tcp
add action=tarpit chain=input connection-state=new in-interface=<WAN-INTERFACE> protocol=tcp
add action=drop chain=input connection-state=new in-interface=<WAN-INTERFACE> protocol=!tcp

Put those rules before all your “accept from outside” rules.

Ah thank you for the reply and interesting information. I added these rules:

/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add action=accept chain=output connection-state=established
add action=accept chain=output connection-state=related
add action=drop chain=output connection-state=invalid


I was still able to port scan without detection using nmap. Blocking all connections except for what I want in and out seems interesting. However I really want to be able to stop the port scanning, do you have any other recommendations or is there something that I may have missed with these rules? Was I supposed to change any of the “0” for actual ports or anything of that nature? Please let me know.

Thank you

Any suggestions from anyone?

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

The above rule is not working. When I apply this rule, my router reboots automatically. Why?

Doesn’t that need to be AFTER your “accept from outside” rules? If you put it before, EVERYTHING coming in gets either tarpitted (TCP) or dropped (other than TCP) before it ever gets to your “accept from outside” rules. Or am I missing something?

For me works the following rule:

add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" connection-limit=0,32 disabled=no limit=0,5:packet log=no log-prefix="" protocol=tcp psd=21,3s,3,1
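The psd=21,3s,3,1 rule quoted several times in this thread, and the rule-ordering question raised above, in a small model. This is an added example in Python, not RouterOS code and not anything posted in the thread: it implements the documented psd parameters (WeightThreshold, DelayThreshold, LowPortWeight for privileged ports up to 1024, HighPortWeight for the rest), assumes that a gap longer than DelayThreshold restarts a source's sequence, and evaluates a chain top-down with add-src-to-address-list treated as a non-terminating action, which is how RouterOS handles it. The addresses and probe timings are constructed test data, not captured traffic.

```python
"""Model of the RouterOS psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
matcher and of first-match rule ordering.  Added example, not RouterOS code.
Assumptions: privileged ports (<=1024) carry LowPortWeight and others HighPortWeight as
documented; only a *different* destination port adds weight; a gap longer than
DelayThreshold since the previous probe restarts the sequence (an assumption about the
implementation); times are integer milliseconds; addresses are constructed test data."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Syn:
    t_ms: int   # arrival time in milliseconds (constructed, not captured)
    src: str
    dport: int


@dataclass
class PsdState:
    last_ms: int = -10**9
    ports: set = field(default_factory=set)
    weight: int = 0


class Psd:
    """Stateful equivalent of psd=21,3s,3,1: match() is True once a source's
    sequence of distinct destination ports reaches the weight threshold."""

    def __init__(self, weight_threshold=21, delay_ms=3000, lo_weight=3, hi_weight=1):
        self.wt, self.delay, self.lo, self.hi = weight_threshold, delay_ms, lo_weight, hi_weight
        self.state = {}

    def match(self, p: Syn) -> bool:
        s = self.state.setdefault(p.src, PsdState())
        if p.t_ms - s.last_ms > self.delay:     # probe too late: start a new sequence
            s.ports.clear()
            s.weight = 0
        s.last_ms = p.t_ms
        if p.dport not in s.ports:              # repeats of the same port add nothing
            s.ports.add(p.dport)
            s.weight += self.lo if p.dport <= 1024 else self.hi
        return s.weight >= self.wt


def scan(src, ports, interval_ms, start_ms=0):
    """Constructed SYN stream: one probe per port, evenly spaced, like nmap -sS."""
    return [Syn(start_ms + i * interval_ms, src, p) for i, p in enumerate(ports)]


@dataclass
class Rule:
    match: Callable[[Syn, set], bool]   # (packet, current address list) -> bool
    action: str                         # "accept", "drop", "tarpit" or "add-src-to-address-list"


def run_chain(rules, events):
    """Evaluate rules top-down per packet as a RouterOS chain does.
    add-src-to-address-list is non-terminating (evaluation continues with the next rule);
    any other matching action ends evaluation; unmatched packets fall through to accept."""
    listed = set()
    verdicts = []
    for p in sorted(events, key=lambda e: e.t_ms):
        verdict = "accept"
        for r in rules:
            if not r.match(p, listed):
                continue
            if r.action == "add-src-to-address-list":
                listed.add(p.src)
                continue
            verdict = r.action
            break
        verdicts.append(verdict)
    return verdicts, listed


def detect_then_drop(events):
    """Drop already-listed sources first, then let psd populate the list."""
    psd = Psd()
    rules = [
        Rule(lambda p, lst: p.src in lst, "drop"),
        Rule(lambda p, lst: psd.match(p), "add-src-to-address-list"),
    ]
    return run_chain(rules, events)


def tarpit_first(events):
    """Catch-all tarpit placed above the psd rule: psd never sees a packet."""
    psd = Psd()
    rules = [
        Rule(lambda p, lst: True, "tarpit"),
        Rule(lambda p, lst: psd.match(p), "add-src-to-address-list"),
    ]
    return run_chain(rules, events)


if __name__ == "__main__":
    for name, events in [
        ("fast scan, privileged ports", scan("203.0.113.10", range(1, 31), 10)),
        ("slow scan, 4 s between probes", scan("198.51.100.7", range(1, 31), 4000)),
        ("fast scan, high ports", scan("203.0.113.20", range(8000, 8030), 50)),
    ]:
        verdicts, listed = detect_then_drop(events)
        print(f"{name}: listed={sorted(listed)} dropped={verdicts.count('drop')}/{len(verdicts)}")
    print("tarpit above psd:", tarpit_first(scan("203.0.113.10", range(1, 31), 10))[1])
```

Running it: the fast scan of ports 1-30 is listed on its seventh distinct privileged port (weight 3 x 7 = 21) and the remaining 23 probes are dropped; the same scan spread 4 s apart never accumulates weight, because every probe falls outside the 3 s delay window and restarts the sequence, which is why a scanner that spaces probes further apart than DelayThreshold (nmap's slower timing templates do) is not caught by this rule at all; the high-port scan needs 21 distinct ports before it is listed. With a catch-all tarpit above the psd rule nothing is ever listed, because evaluation stops at the tarpit, so the address list stays empty even though the scanner gets no answer. That is the trade-off behind the ordering question in the thread: the psd rule has to sit where new packets still reach it, with the drop-from-list rule above it.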